When I became an officer with the US Army, I was expected to give orders. Ensuring I gave the right ones meant that I needed to question everything, and gather as much information as I could in order to come up with the best possible solution based on the information I had. This was the only way I could make decisions that would provide the greatest likelihood of success, while minimising the potential for adverse impact. This way of thinking is something that stuck with me throughout the remainder of my military career, and carried over into my career as a civilian, always questioning: Is there a better way?
In my current life, as a CISO, that means looking at cyber security. Are we gathering the right information to develop the right solution?
My team and I asked ourselves this question about a year ago, when we decided that we wanted to put out a cyber threat report.
In looking at existing reports, we discovered most were restricted to analysing available client data, and therefore only looked at the threat landscape from the perspective of the victim. So we decided to write something that was substantively different, focusing our research on professional hackers and penetration testers - the attackers - thereby providing a virtually unexplored, yet critical perspective.
What we found was quite contrary to the conventional understanding of cybersecurity. We learned which security countermeasures actually prevent breaches, and how organisations identify their presence during an attack. Some countermeasures that you think will stop an attacker won't even slow them down. Other defensive techniques that you think are totally arbitrary actually have a tremendous impact on your defensive posture.
What hackers do
On July 1, 2010, President Barack Obama stated that Cyberspace was the fifth dimension of warfare (the other four being; land, sea, air, and space). What makes this so interesting and unique is that unlike the other dimensions which are dominated by trained members of the armed forces, cyberspace is dominated by civilians with little to no training on how to combat highly trained, motivated, and experienced adversaries.
As a result, year after year we learn that offensive capabilities have far outpaced defensive capabilities; data breaches are more frequent; and attacks are growing increasingly complicated. Detection and response are critically important, yet only marginally effective. So it would seem the industry's approach to cybersecurity over the past two decades leaves something to be desired.
According to our report, the majority of professional hackers (88%) said they could compromise systems in less than 12 hours, and a similar number (81%) said they could identify and take valuable data within another 12 hours, even though the breach may not be discovered for hundreds of days - if they're detected at all.
What's more, half of respondents change their attack methodologies every time they're engaged to compromise a target. Over 70% of respondents to this survey said they spent more than 11 hours a week bypassing security. On top of that, 30% spent 6-10 hours a week researching, and a further 22% spent more than 10 hours a week keeping up with the latest attack trends and methods, including direct server attacks (favoured by 43%), phishing (40%), and drive-by and watering-hole attacks (9%).
This means it's pretty much guaranteed that an organisation will suffer a successful cyberattack, no matter how well-kept the preventative controls are.
Responding to today's security challenges
If you can't prevent a breach, you must be prepared to survive it. The number one most effective countermeasure, according to 36% of professional hackers, was endpoint security. This was followed by intrusion detection and prevention systems (29%), and firewalls (10%). Only 2% of respondents were troubled by antivirus. Interestingly, 22% of professional hackers boasted that no security countermeasures could stop them and that a full compromise was only a matter of time.
For security decision-makers, this result clearly demonstrates the importance of defence in depth rather than relying on any single control. Any individual security control can be defeated by an attacker with enough time and motivation. However, when an organisation uses a combination of controls along with security training, education, and processes, the failure of any single control does not automatically lead to data compromise.
Know your enemy - and know you're secure
In the 6th century BC, General Sun Tzu wrote: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
In order to protect sensitive data, organisations need to know and understand their adversary, be trained by experts, and given the proper tools to allow them the greatest chance of success. They need to understand that security is more than just a policy on a piece of paper, an antivirus programme, or a group of professionals sitting in a room scanning log events.
It's all of the above, and it's piecing everything together in a way that makes sense. It's their duty to understand the real-life threat landscape. Without this critical feedback loop, there's no way they'll be able to address real-life use cases, protect against the latest threats, or adapt to the latest attack techniques.
Decoding the minds of hackers means we're developing the best solution to real life circumstances.